
ENTERPRISE SYSTEM MANAGEMENT SECURITY CHECKLIST Version 1 Release 1.3 10 APRIL ... PDF

188 Pages·2007·6.98 MB·English

ENTERPRISE SYSTEM MANAGEMENT SECURITY CHECKLIST
Version 1 Release 1.3
10 APRIL 2007
Developed by DISA for the DOD
UNCLASSIFIED

ESM Security Checklist V1R1.3
DISA Field Security Operations
10 April 2007
Developed by DISA for the DoD

TABLE OF CONTENTS
1. INTRODUCTION ............ 3
   1.1 The Scope of a Review ............ 3
   1.2 Pre-Review Activities ............ 4
   1.3 Recording Results ............ 6
   1.6 Organization of the Checklist ............ 7
2. SRR REPORT ............ 9
   2.1 Reviewer Information ............ 10
   2.2 Site / Organization Information ............ 10
   2.3 ESM Systems Information ............ 11
   2.5 ESM Server Overview ............ 11
3. VMS 6.0 ESM Procedures ............ 13
4. CHECKLIST INSTRUCTIONS – ESM Policy Checks ............ 20
5. CHECKLIST INSTRUCTIONS – SMS Server Checks ............ 48
6. CHECKLIST INSTRUCTIONS – SMS Client Checks ............ 76
7. CHECKLIST INSTRUCTIONS – Tivoli Management Enterprise Checks ............ 102
8. CHECKLIST INSTRUCTIONS – Tivoli Management Framework Checks ............ 105
9. CHECKLIST INSTRUCTIONS – Tivoli Enterprise Console Checks ............ 139
10. CHECKLIST INSTRUCTIONS – Tivoli Monitoring Checks ............ 155
11. CHECKLIST INSTRUCTIONS – Tivoli Configuration Manager Checks ............ 166
12. CHECKLIST INSTRUCTIONS – Tivoli Monitoring for Business Integration Checks ............ 182

UNCLASSIFIED Page 2 of 188

1. INTRODUCTION

This document contains procedures that enable qualified personnel to conduct an Enterprise System Management (ESM) Security Readiness Review (SRR). The ESM SRR assesses compliance, in part, with DISA's Recommended Standard Application Security Requirements (Version 1.1 dated May 2006). In order to streamline the SRR process, this Checklist does not cover all of the requirements in that document.

DISA Field Security Operations (FSO) conducts ESM SRRs to provide a minimum level of assurance to DISA, Joint Commands, and other Department of Defense (DOD) organizations that their ESM applications are reasonably secure against attacks that would threaten their mission. The complexity of most mission critical ESM applications precludes a comprehensive security review of all possible security functions and vulnerabilities in the time frame allotted for an ESM System SRR. Nonetheless, the SRR helps organizations address the most common ESM vulnerabilities and identify information assurance (IA) issues that pose an unacceptable risk to operations.

1.1 The Scope of a Review

An ESM Application SRR encompasses the IA control subject areas defined in Department of Defense (DoD) Instruction 8500.2. These subject areas are as follows:
• Security Design and Configuration
• Identification and Authentication
• Enclave and Computing Environment
• Enclave Boundary Defense
• Physical and Environmental
• Continuity
• Vulnerability and Incident Management

During a full ESM application review, an SRR is performed on each of the components listed above in addition to the ESM application itself. For example, if the application infrastructure consisted of a front-end web server running on Windows and a backend database running on UNIX, then the full review would consist of Web Server, Database, Windows, and UNIX SRRs in addition to the ESM SRR.

If this review is a full system baseline, all components will be evaluated. If this review is an ST&E validation or a re-accreditation and current reviews exist for these components, only the vulnerability scan needs to be completed at the time of the ESM review. A current review is defined as a review performed based upon the current STIG. A review is also deemed not to be current if the operating system or component has been reinstalled since the last SRR.

As security is only as strong as its weakest link, a complete security review should involve both the client and server components of the ESM application.

1.2 Pre-Review Activities

This document specifies duties to be completed by a team lead and a reviewer. In some cases, this may be the same person.

To make best use of time on-site, the team lead should perform the following activities prior to arrival, listed in suggested sequence order:
• Work with the site to identify personnel to assist the reviewer with the ESM SRR (one or more individuals available to answer the reviewer's questions).
• Determine the scope of the review (what systems, software and features will or will not be included).
• Obtain an inventory and diagram of all the in-scope components of the ESM infrastructure (OS, database, third-party middleware, libraries and other components), including version information.
• Obtain and review the System Security Authorization Agreement (SSAA), especially its disaster recovery plans, diagrams, and description of the environment.
• Obtain a matrix of user types and associated functions within the ESM.
• Obtain a dataflow of the ESM functions and network diagrams showing all firewalls and IDS descriptions, as well as additional enclave boundaries that the ESM controls.
• Obtain a signed SRR coordination memo in which site management accepts the review's scope and the operational risk associated with performing the review.

The reviewer should perform the following activities prior to arrival, listed in suggested sequence order:
• Obtain necessary approvals for physical and logical access to in-scope components. Submit appropriate DD Form 2875s for access to the site.
• Acquire a general knowledge of the ESM, including what it does and the user community it serves.
• Review the matrix of user types and associated functions within the ESM.
• Review the dataflow diagram.
• Assist the Team Lead in determining the scope of the review.

The term "ESM representative" is used hereafter to denote personnel who assist the reviewer with the ESM SRR. The representative may be an ESM administrator, IAO, systems administrator or other individual with sufficient knowledge of and access to the ESM and ESM applications to permit the reviewer to complete the review. In some cases, the ESM representative role may be split among multiple individuals.

1.3 Recording Results

Once information is gathered and evaluated, the reviewer can record findings of vulnerabilities in the Checklist SRR Results Report included later in this document. Results are also entered into the Vulnerability Management System (VMS). Create the asset as a unique entity in the Computing branch and then add the proper targets to the Asset Posture.

1.6 Organization of the Checklist

The remainder of the document is divided into the following sections:
• Section 2 (SRR Report) provides a form on which the reviewer will document contacts, the overall components of the ESM and the ESM configuration.
• Section 3 (VMS 6.0 ESM Procedures)
• Section 4 (Checklist of all ESM Policy Entries)
• Section 5 (Checklist of all SMS Server Entries)
• Section 6 (Checklist of all SMS Client Entries)

2. SRR REPORT

Unclassified UNTIL FILLED IN

CIRCLE ONE:
FOR OFFICIAL USE ONLY (mark each page)
CONFIDENTIAL and SECRET (mark each page and each finding)

Classification is based on the classification of the system reviewed:
• Unclassified System = FOUO Checklist
• Confidential System = CONFIDENTIAL Checklist
• Secret System = SECRET Checklist
• Top Secret System = SECRET Checklist

2.1 Reviewer Information

Reviewer Name:
Reviewer Phone number (Commercial / DSN):
Reviewer e-mail:
Reviewer SIPRNet e-mail:
ESM STIG version:
ESM Checklist version:
Date of review:
Date of report:

2.2 Site / Organization Information

Organization Name:
Primary Address (Street Address; City, State ZIP):
IAO Name:
IAO E-mail Address:
IAO SIPRNet Address:
IAO Phone # (Commercial / DSN):
ESM System Admin Name:
ESM System Admin e-mail:
ESM System Admin SIPRNet e-mail:
ESM System Admin Phone # (Commercial / DSN):

ESM systems inventory form (rows 1 through 5 are left blank for the reviewer to fill in):

Enterprise System | Management Software and Version | Reviewed? | Physical Location | Network Information | Enclave Name | Router | Function
1.
2.
3.
4.
5.